747 matches found
Huge IT Googlemaps,1.0.9,SQL Injection
Huge IT Googlemaps,1.0.9, Multiple SQL Injection vulnerabilities...
Breezing Forms Lite
Breezing Forms Lite before build 912 Information disclosure Resolution: update to latest version Update notice: https://crosstec.org/en/blog/859-breezingforms-medium-security-update.html...
cckseblod 1.x Directory Traversal
comcckseblod aka seblod 1.x for Joomla 1.5 1.9.0 and all previous versions Directory Traversal Resolution: update to 1.9.1 Update notice: http://www.seblod.com/changelogs?sebchangelogproduct=cck1x Developer states that Seblod 3.x, the version compatible with Joomla 2.5 and 3, is not vulnerable...
Jinc, all versions,
Jinc, all versions, XSS Cross Site Scripting UpdateNotice URL http://lhacky.altervista.org/jextensions/index.php/component/content/article/21-news/jinc/100-security-issue-on-jinc-1-0-1...
MT Fire Eagle
LFI http://joomlacode.org/gf/project/jfireeagle/frs/http://www.moto-treks.com 190410 product considered retired and to be replaced by dev Authors:...
Coupon manager, 3.5
Coupon manager by joomla6teen.com, 3.5, SQL Injection...
Huge IT gallery,1.1.5,SQL Injection
Huge IT gallery,1.1.5,SQL Injection resolution: update to 1.1.9...
SimpleImageUpload by Tuts4You, 1.2 and below, Other
SimpleImageUpload by Tuts4You, 1.2, Other...
Events Booking, 1.6.7 and lower, (module: Search Events)
Events Booking 1.6.7 =Vulnerability: XSS Cross Site Scripting Extension Update Details This issue only affect the search module Search Events which comes with Events Booking. We released version 1.6.8 to address this issue...
extplorer, 2.1.4 and below
extplorere, ID,DT, release of 2.1.5 http://extplorer.net/news/14...
Cobalt,8.270
Cobalt, , DT/permissions developer update Notice updated http://www.mintjoomla.com/blog/item/279-update-cobalt-v-8-279-stable.html...
[20260517] - Core - Incorrect Cache Key Construction for InputFilter objects
The InputFilter::getInstance method omitted a security sensitive parameter from the instance cache key...
HikaShop, 5.1.3, Other ACL
Update to Hikashop 5.1.4 . No other details on this exploit will be release...
Joomanager, other
Joomanager from joomanager.com, 2.0.0 and previous versions users are advised to uninstall immediately...
One Vote,1.1.1,SQL Injection
One Vote by advcomsys.com, 1.1.1 and previous, SQL Injection resolution: update to 1.2.2 update notice: http://www.advcomsys.com/joomla-demos...
phoc commander, varios,
Update to latest secure version https://www.phoca.cz/news/1384-phoca-commander-version-5-0-2-and-4-0-1-released...
rsblog
Extension: RSBlog! Version: Old 1.14.4, 1.14.5 / New 1.14.6 Update details: Versions affected 1.11.6 to 1.14.5 Stored XSS allows remote authenticated attackers to inject arbitrary web script or HTML via the tag parameter. Fixed in 1.14.6 Update URL:...
UserExtranet,1.3.2,SQL Injection
UserExtranet by Beesto.com, 1.3.2 and previous, SQL Injection resolution: update to 1.3.3 update notice: http://www.beesto.com/forum/read.php?30,2085...
GPS Tools v4.0.1,4.0.1,SQL Injection
GPS Tools v4.0.1,4.0.1,SQL Injection Developer release statement to the vel team https://www.corejoomla.com/news/1163-gps-tools-v4-0-2-is-released.html...
rsmail
Extension: RSMail! Version: Old 1.22.26, 1.22.27, 1.22.28 / New 1.22.29 Update details: Versions affected 1.19.20 through 1.22.28. Self XSS allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted parameter. Fixed in 1.22.29 Update URL:...
rsdirectory
Extension: RSDirectory! Version: Old 2.2.7 / New 2.2.8 Update details: Versions affected 1.0.0 through 2.2.7 Stored XSS allows remote authenticated attackers to inject arbitrary web script or HTML via the review reply component. Fixed in 2.2.8 Update URL:...
[20260705] - Core - XSS in various modalreturn layouts
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components...
[20260304] - Core - XSS vectors in various article title outputs
Lack of output escaping for article titles leads to XSS vectors in various locations...
[20260302] - Core - SQL injection in com_content articles webservice endpoint
Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint...
LM-CUSTOM-ADMIN, , Other
Version: Old 2.7.3 / New 2.7.4 Update details: block cde php shellexec Update URL: https://lomart.fr/extensions-blog/38-modules-administrator/125-lm-custom-administrator Changelog URL:...
[20260711] - Core - Incorrect Access Control in com_privacy webservice endpoints
An improper access check allows unauthorized users to access comprivacy datasets...
[20260301] - Core - ACL hardening in com_ajax
The ajax component was excluded from the default logged-in-user check in the administrative area. This behavior was potentially unexpected by 3rd party developers...
[20260708] - Core - XSS through language overrides
Improper validation leads to a generic XSS vector in the language override feature...
[20260704] - Core - XSS in com_templates
Lack of escaping leads to an XSS vulnerability in the file management view of comtemplates...
[20260703] - Core - XSS in MFA method management
Lack of validation leads to an XSS vulnerability in the MFA management views...
[20260710] - Core - Incorrect Access Control in com_modules
An improper access check allows users to display a list of modules in the frontend...
[20260706] - Core - XSS in com_installer
Lack of escaping leads to an XSS vulnerability in the update list view of cominstaller...
[20260707] - Core - XSS in the generic image output layout
Lack of escaping leads to an XSS vulnerability in the generic image output layout...
[20260712] - Core - Incorrect Access Control in com_fields webservice endpoints
An improper access check allows unauthorized users to create custom fields via webservices endpoints...
[20260709] - Core - Incorrect Access Control in com_workflow
An improper access check allows unauthorized users to access workflow stage and transition information...
[20260508] - Core - Improper access check in com_config webservice endpoints
An improper access check allows unauthorized access to comconfig webservice endpoints...
[20260503] - Core - XSS in com_contenthistory
Lack of output escaping leads to a XSS vector in the content history component...
[20260507] - Core - Authenticated blind SQLi in com_tags
Improperly validated order clauses lead to a SQL injection vulnerability in comtags...
[20260505] - Core - CSRF in user activation endpoint
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of comusers...
[20260702] - Core - Incorrect Access Control in com_contact vcf download
An improper access check allows user to download vcard exports of comcontact contacts that are inaccessible...
[20260701] - Core - Incorrect Access Control in com_media webservice endpoints
An improper access check allows privileged users to overwrite media files without editing permissions...
[20260509] - Core - LFI in HTMLView layout parameter
An improper validation of user-supplied input leads to a local file inclusion vulnerability...
[20260510] - Core - Path traversal in com_media webservice endpoint
An improper validation of the search parameter of the commedia files API endpoint leads to a path traversal vulnerability...
[20260504] - Core - XSS in readmore links
Lack of output escaping leads to a XSS vector in the content history component...
[20260502] - Core - XSS in com_associations
Lack of output escaping leads to a XSS vector in the multilingual associations component...
[20260506] - Core - Authenticated blind SQLi in com_finder
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for comfinder...
[20260501] - Core - XSS in feed modules
Lack of output escaping leads to a XSS vector in the feed modules...